b"\xc2\xa0\n\n\n\n\n    INTERNATIONAL TRADE\n    ADMINISTRATION\n    Improvements Are Needed\n    to Strengthen ITA\xe2\x80\x99s\n    Information Technology\n    Security Program\n\n\n\n\n    FINAL REPORT NO. OIG-12-037-A\n    SEPTEMBER 27, 2012\n\n\n\n    U.S. Department of Commerce\n    Office of Inspector General\n    Office of Audit and Evaluation\n\n    FOR PUBLIC RELEASE\n\n\n\n\n\xc2\xa0\n\x0c                                                       UNITED STATES DEPARTMENT OF COMMERCE\n                                                       Office of Inspector General\n                                                       Washington. D.C. 20230\n\n\n\n\n September 27, 2012\n\n MEMORANDUM FOR:               Francisco J. Sanchez\n                               Under Secretary of Commerce for International Trade\n\n\n FROM:                         Allen Crawley \n  \xc2\xa3lb_ C::\n                               Assistant Inspector General for Systems Acquisition \n\n                                and IT Security \n\n\nSUBJECT: \t                     FY 20 12 Federal Information Security Management Act Audit:\n                               Improvements are Needed to Strengthen ITA's Information Technology\n                                 Security Program, Final Report No. OIG-12-037-A\n\nAttached is the final report of our audit of ITA's information security program and practices,\nwhich we conducted to meet our obligations under the Federal Information Security\nManagement Act (FISMA). In fiscal year (FY) 20 12, we assessed the security of six ITA systems.\n\nWe found weaknesses in these ITA systems, including inadequate security categorization that\nmay affect protection of critical bureau information and security control deficiencies that\nincrease the likelihood of a successful cyber attack. 
The security control deficiencies include\n(a) deficiencies with vulnerability scanning and patch management, (b) weaknesses in securing\ndatabases, (c) the presence of unauthorized software and use of unauthorized removable media,\nand (d) risks related to network implementation.\n\nWe are pleased that, in response to our draft report, you concurred with our findings and\nrecommendations. We have summarized your response in the report and included the\nresponse as an appendix. We will post this report on OIG's website.\n\nIn accordance with Department Administrative Order 213-5, please provide us with your\naction plan within 60 calendar days from the date of this memorandum. The plan should outline\nactions you propose to take to address each recommendation.\n\nWe appreciate the cooperation and courtesies extended to us by your staff during our audit.\nPlease direct any inquiries regarding this report to me at (202) 482-1855 and refer to the\nreport title in all correspondence.\n\nAttachment\n\ncc: \t   Simon Szykman, Chief Information Officer\n        Renee Macklin, Chief Information Officer, ITA\n        Tim Hurr, Acting Director, Office of Cyber Security\n        jeffrey Jackson, Chief Information Security Officer, ITA\n        Justin Guz, Audit Liaison, ITA\n        Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer\n\x0c                                              Report In Brief                                   S E P T E MB E R 2 7 , 2 0 1 2\n\n\n\n\nBackground                                INTERNATIONAL TRADE ADMINISTRATION\nThe International Trade Administra-       Improvements Are Needed to Strengthen ITA\xe2\x80\x99s\ntion (ITA) helps improve the global       Information Technology Security Program\nbusiness environment\xe2\x80\x94and U.S.\ncompanies compete at home and             OIG-12-037-A\nabroad\xe2\x80\x94through export promotion\nand commercial diplomacy, as well as      WHAT WE FOUND\nshaping trade policy, market 
access,\nand enforcement of U.S. trade laws.       We found weaknesses in the six ITA systems we reviewed, including inadequate security\n                                          categorization that may affect protection against critical information and security control\nTo fulfill its critical missions ITA      deficiencies that increase the likelihood of a successful cyber attack. The security control\nheavily relies on information tech-       deficiencies include (a) deficiencies with vulnerability scanning and patch management, (b)\nnology (IT), particularly the Internet,   weaknesses in securing databases, (c) the presence of unauthorized software and use of\nto conduct its business, and inevita-     unauthorized removable media, and (d) risks related to network implementation:\nbly faces greater cybersecurity risks.\nIn recent years, ITA has become a           Deficiencies with vulnerability scanning and patch management. ITA\xe2\x80\x99s vulnerability scanning\nfrequent target of cyber attacks. In        of system components and patch management for software products do not effectively\norder to minimize the serious               identify or remediate security weaknesses.\ndamage caused by cyber attacks,             Weaknesses in securing databases. ITA improperly configured one database to use a\nITA has taken action such as con-           blank password for authentication to a database administrator account. We also\nsolidating Internet access through a        identified three additional improperly configured databases that, if exploited, could\ncentralized service.                        allow excessive privileges to access sensitive information.\nWhy We Did This Review                      The presence of unauthorized software and use of unauthorized removable media. 
ITA has\n                                            unauthorized software on its network and lacks controls to prevent the use of\nThe Federal Information Security            unauthorized USB devices, thus opening its systems to additional risks, such as\nManagement Act of 2002 (FISMA)              information exfiltration.\nrequires agencies to secure sys-\ntems against the loss, misuse, or           Risks related to network implementation. ITA\xe2\x80\x99s network implementation allows network\nunauthorized access to or modifica-         traffic to flow freely between computing components, which could pose a greater\ntion of information collected or            security risk on ITA systems and information.\nmaintained by, or on behalf of, an\nagency. In addition, FISMA requires\n                                          WHAT WE RECOMMEND\ninspectors general to evaluate            We recommend that the Under Secretary of Commerce for International Trade:\nagencies\xe2\x80\x99 information security\nprograms and practices by assess-           1.\t Ensure that system owners and appropriate ITA officials collaborate to identify\ning a representative subset of                  and categorize all information processed, stored, or transmitted by each system\nagency systems, with results re-                and categorize each system accordingly;\nported to the Office of Manage-             2.\t Mitigate the remaining vulnerabilities identified by our vulnerability scan \n\nment and Budget (OMB), Depart-                  assessments; \n\nment of Homeland Security, and\nCongress annually.                          
3.\t Improve the patch management process by (a) making timely patches for all\n                                                software products and (b) coordinating within ITA to comprehensively identify\nAs part of an overall assessment of             and remediate software flaws in a timely manner;\nthe Department\xe2\x80\x99s IT security pro-\ngram, we evaluated information              4. \t Address and fully implement critical security settings in database configuration \n\nsecurity controls and security-                  checklists; \n\nrelated documentation for six ITA           5.\t Ensure that only authorized software and USB devices are used on both servers\nsystems. Our objective was to de-               and workstations; and\ntermine whether key security meas-\nures adequately protect ITA\xe2\x80\x99s sys-          6. \t Strengthen the worldwide enterprise network\xe2\x80\x99s security posture by reducing the\ntems and information.                            threats associated with allowing network traffic to flow freely between all\n                                                 computing components.\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                                                                 
OFFICE OF INSPECTOR GENERAL\n\n\nContents \n\nIntroduction .......................................................................................................................................................1\n\xc2\xa0\nFindings and Recommendations ....................................................................................................................2\n\xc2\xa0\n   I.\t\xc2\xa0 Inadequate Security Categorization May Affect Protection of Critical\n\n        Bureau Information ..............................................................................................................................2\n\xc2\xa0\n   II.\t\xc2\xa0 Security Control Deficiencies Increase the Likelihood of a Successful Cyber Attack ..........3\n\xc2\xa0\n       A.\t\xc2\xa0 Deficiencies with Vulnerability Scanning and Patch Management .........................................3\n\xc2\xa0\n       B.\t\xc2\xa0 Weaknesses in Securing Databases .............................................................................................4\n\xc2\xa0\n       C.\t\xc2\xa0 Risks Associated with the Presence of Unauthorized Software and Use of\n\n            Unauthorized Removable Media ..................................................................................................5\n\xc2\xa0\n       D.\xc2\xa0 Risks Related to Network Implementation ...............................................................................6\n\xc2\xa0\n   Conclusion .....................................................................................................................................................7\n\xc2\xa0\n   Recommendations ...........................................................................................................................................7\n\xc2\xa0\nSummary of Agency Response and OIG Comments................................................................................8\n\xc2\xa0\nAppendix A: Objectives, Scope, and Methodology 
...................................................................................9\n\xc2\xa0\nAppendix B: Agency Response ................................................................................................................... 11\n\xc2\xa0\n\n\n\n\n                                                                                                                    COVER:\xc2\xa0Detail\xc2\xa0of\xc2\xa0fisheries\xc2\xa0pediment,\xc2\xa0\n                                                                                                           U.S.\xc2\xa0Department\xc2\xa0of\xc2\xa0Commerce\xc2\xa0headquarters,\n\xc2\xa0\n                                                                                                                   by\xc2\xa0sculptor\xc2\xa0James\xc2\xa0Earle\xc2\xa0Fraser,\xc2\xa01934\n\n\n\n\n\nFINAL REPORT NO. OIG-12-037-A\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                   OFFICE OF INSPECTOR GENERAL\n\n\nIntroduction \n\nThe strength of the nation\xe2\x80\x99s economy continues to depend on global trade, with the United\nStates exporting nearly $2 trillion worth of goods and services.1 The International Trade\nAdministration (ITA) plays an important role in improving the global business environment and\nhelping U.S. companies compete at home and abroad through export promotion, commercial\ndiplomacy, shaping industry-specific trade policy, market access, and enforcement of U.S. trade\nlaws.\n\nTo fulfill its critical missions ITA heavily relies on information technology (IT), particularly the\nInternet, to conduct its business, and inevitably faces greater cybersecurity risks. In recent\nyears, ITA has become a frequent target of cyber attacks. 
For example, in November 2011, ITA\nwas notified of a serious cyber attack that had compromised a significant number of its servers,\nwhich allowed the attacker to gain full control of ITA\xe2\x80\x99s entire enterprise network and access to\nuser account credentials. ITA\xe2\x80\x99s investigation of this incident found 66 malicious files residing on\nits servers and workstations, some present since September 2007. In order to minimize the\nserious damage caused by this attack, ITA changed all user passwords, consolidated all Internet\naccess through a centralized service, and made architectural changes to its network.\n\nThe Federal Information Security Management Act of 2002 (FISMA)2 requires agencies to\nsecure systems through the use of cost-effective management, operational, and technical\ncontrols. The goal is to provide adequate security commensurate with the risk and extent of\nharm resulting from the loss, misuse, or unauthorized access to or modification of information\ncollected or maintained by or on behalf of an agency. In addition, FISMA requires inspectors\ngeneral to evaluate agencies\xe2\x80\x99 information security programs and practices by assessing a\nrepresentative subset of agency systems, and the results are reported to the Office of\nManagement and Budget (OMB), Department of Homeland Security, and Congress annually.\n\nAs part of an overall assessment of the Department\xe2\x80\x99s IT security program, we evaluated\ninformation security controls and security-related documentation for six ITA systems. Our\nobjective was to determine whether key security measures adequately protect ITA\xe2\x80\x99s systems\nand information. 
See appendix A for details regarding our objective, scope, and methodology.\n\n\xc2\xa0\n\n\n\n\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n1\n    See ITA\xe2\x80\x99s FY 2012\xe2\x80\x932016 Strategic Plan.\n2\n    44 U.S.C. \xc2\xa7 3541 et seq. (2002).\n\n\nFINAL REPORT NO. OIG-12-037-A                                                                      1\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                            OFFICE OF INSPECTOR GENERAL\n\n\nFindings and Recommendations \n\n    I.\t       Inadequate Security Categorization May Affect Protection of Critical\n              Bureau Information\n\n       ITA does not have assurance that it has implemented sufficient security controls to protect\n       its information systems, because it has not adequately performed the required step of\n       identifying the critical information in the systems.\n\n       In order to protect its systems, an organization first needs to consider all information that a\n       system processes, stores, or transmits to determine risks to the system and then select\n       appropriate security controls. This process, referred to as security categorization,3 identifies\n       the impact level for a system as high, moderate, or low based on the potential impact to an\n       organization, should an event jeopardize its information and information systems. 
A system\n       with a higher impact level would require the organization to implement more stringent\n       security controls, compared to one with a lower impact level.\n\n       ITA conducted a security categorization for its information and systems, and it determined\n       that all information on its systems is publically available, resulting in an overall rating of\n       moderate for its systems and information. However, we found ITA\xe2\x80\x99s analysis to be\n       inadequate; the information security categorization may be at a higher impact level. For\n       example, we identified global trade information collected and processed by ITA that, if\n       compromised, could have severe negative impact to ITA\xe2\x80\x99s mission. Specifically, this includes\n       business proprietary information provided by domestic and foreign industries to ITA\xe2\x80\x99s\n       Import Administration Antidumping/Countervailing Duty office to initiate and support\n       dumping or illegal subsidies investigations. National Institute of Standards and Technology\n       (NIST) recommends a security categorization of high for such information, which is\n       protected against disclosure by administrative protective orders and other laws. According\n       to senior ITA officials, if this information becomes inadvertently revealed, it could\n       undermine future investigations and the trust businesses place with ITA.\n\n       The reason for this inadequate categorization was that ITA did not conduct a\n       comprehensive review of all critical business information on its systems. Instead, ITA based\n       its categorization only on a review of information processed, stored, and transmitted by its\n       e-mail system. 
By taking this approach, we believe ITA categorized its systems at a lower\n       impact level, thus requiring less stringent security controls.\n\n\n\n\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n3\n Federal Information Processing Standard (FIPS) 199 provides security categorization guidance for nonnational\nsecurity systems. National Institute of Standards and Technology, February 2004. Standards for Security\nCategorization of Federal Information and Information Systems, FIPS 199. Gaithersburg, MD: NIST.\n\n\nFINAL REPORT NO. OIG-12-037-A                                                                                   2\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                               OFFICE OF INSPECTOR GENERAL\n\n\n    II.\t      Security Control Deficiencies Increase the Likelihood of a Successful Cyber\n              Attack\n\n       We identified security vulnerabilities in ITA system components (e.g., servers, workstations,\n       and routers) that increase exposure to cyber attacks and place mission critical data and\n       systems at risk. These weaknesses exist, in part, due to deficient vulnerability scanning and\n       inadequate patch management. Weaknesses further arise due to improperly secured\n       databases. In addition, ITA has unauthorized software on its network and lacks controls to\n       prevent the use of unauthorized Universal Serial Bus (USB) devices,4 thus opening its\n       systems to additional security risks. 
Finally, the potential impact of all vulnerabilities\n       identified is significantly greater because of weaknesses in the implementation of ITA\xe2\x80\x99s\n       worldwide enterprise network.\n\n       A.\t Deficiencies with Vulnerability Scanning and Patch Management\n\n              ITA\xe2\x80\x99s vulnerability scanning of system components and patch management for software\n              products (e.g., Adobe Acrobat, Adobe Flash Player, and Oracle Java) do not effectively\n              identify or remediate security weaknesses. We assessed over 200 system components\n              from ITA\xe2\x80\x99s operational systems and found that more than 75 percent of the\n              components had significant vulnerabilities due to missing patches, some available for\n              over 5 years (see figure 1, next page). In fact, attackers could compromise these\n              vulnerable components using known exploits to gain initial unauthorized access,\n              maintain access, and exfiltrate5 sensitive data. ITA informed us that it could not install\n              some security patches due to legacy applications but planned to address this issue when\n              upgrading the applications.\n\n              We did find, however, that ITA has an automated process for patching vulnerabilities\n              associated with Microsoft operating systems and Office desktop productivity software\n              used within its operational systems. In addition, prior to our audit, ITA recognized it had\n              serious deficiencies with patching software products and began developing a process to\n              address this issue. However, improvements are needed to address the following\n              additional deficiencies we found:\n\n                      \xef\x82\xb7\t Deficiencies in server scanning process resulted in ITA servers not being scanned for\n                         vulnerabilities. 
Of the 257 servers in ITA\xe2\x80\x99s operational systems, 36 of the servers\n                         (14 percent) were not being scanned. This issue resulted from a lack of\n                         coordination between ITA\xe2\x80\x99s network operations and IT security organizations.\n\n                      \xef\x82\xb7\t ITA did not scan network routers using administrator-level credentials. Credentialed\n                         scans would have allowed the scanning tool to perform a more exhaustive and\n                         accurate examination of the routers.\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n4\n  Universal Serial Bus (USB) is a standard for connecting electronic devices such as thumb drives, MP3 players, and\ndigital cameras, to computers.\n5\n  Exfiltrate, in the context of this report, refers to the unauthorized transfer of sensitive information from an\norganization to external entities.\n\n\nFINAL REPORT NO. OIG-12-037-A                                                                                         3\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                                                              
OFFICE OF INSPECTOR GENERAL\n\n                      \xef\x82\xb7\t Since July 2011, ITA had not patched servers running virtualized operating systems.\n                         Our analysis determined that the vendor had released critical patches for flaws\n                         that can potentially allow attackers to gain unauthorized access, and perform\n                         denial of service attacks.\n\n                                        Figure 1. Percentage of ITA System Components Affected \n\n                                                 By Vulnerabilities, by Patch Release Year\n\n\n                                                                      90%\n                                   Percentage\xc2\xa0of\xc2\xa0Computers\xc2\xa0Affected\n\n\n                                                                      80%\n                                                                      70%\n                                                                      60%                                      System\xc2\xa0Components\xc2\xa0\n                                                                      50%                                      Vulnerable\xc2\xa0Due\xc2\xa0to\xc2\xa0Missing\xc2\xa0\n                                                                                                               Patches\n                                                                      40%\n                                                                      30%\n                                                                                                               Vulnerable\xc2\xa0System\xc2\xa0\n                                                                      20%                                      Components\xc2\xa0That\xc2\xa0Can\xc2\xa0Be\xc2\xa0\n                                                                      10%                                      Compromised\xc2\xa0Due\xc2\xa0to\xc2\xa0\n                        
                                                                                       Known\xc2\xa0Exploits\n                                                                      0%\n                                                                            Before\xc2\xa0 2008 2009 2010 2011 2012\n                                                                             2008\n                                                                                    Patch\xc2\xa0Release\xc2\xa0Year\n\n                             Source: OIG vulnerability scans and analysis\n\n                             Note: A system component may have multiple missing patches released in different years. \n\n\n       B.\t Weaknesses in Securing Databases\n\n              Configuration settings control6 has been a long-standing FISMA requirement and an\n              essential and fundamental aspect of securing an information system. However, our\n              assessment of ITA\xe2\x80\x99s databases revealed serious vulnerabilities. For example, ITA\n              improperly configured one database to use a blank password for authentication to a\n              database administrator account. We validated this vulnerability by successfully gaining\n              access to this account. After further analysis, we determined that an attacker could\n              exploit additional improperly configured database settings to gain access to the\n              underlying operating system, thus obtaining full control of the server. We also identified\n              three additional improperly configured databases that, if exploited, could allow excessive\n              privileges to access sensitive information (e.g., system user passwords).\n\n              Adequately implemented configuration settings control has the potential to compensate\n              for other types of vulnerabilities and can limit the impact of cyber attacks. 
At the time of\n              our fieldwork, ITA was working to implement this control by establishing secure\n              configuration checklists for various IT products, including databases. However, these\n              database checklists did not address critical secure configuration settings that resulted in\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n6\n    Configuration settings control CM-6 is a required control listed in NIST SP 800-53.\n\n\nFINAL REPORT NO. OIG-12-037-A                                                                                                               4\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                   OFFICE OF INSPECTOR GENERAL\n\n        these vulnerabilities. ITA needs to establish adequate secure configuration checklists for\n        its databases and then implement them.\n\n    C.\t Risks Associated with the Presence of Unauthorized Software and Use of Unauthorized\n        Removable Media\n\n        Preventing both the execution of unauthorized software and the use of unauthorized\n        USB devices are key security measures that lessen the risk of a system compromise and\n        the exfiltration of information. Despite ITA\xe2\x80\x99s efforts over the last 5 years, it has not\n        effectively protected its systems from such risks.\n\n        In 2007, ITA formed an Architecture Review Board (ARB) with the responsibility of\n        approving software for use on its workstations. 
        With this board’s approval, ITA maintains a list of authorized software for workstations. However, we found over 150 instances of unauthorized software present on ITA workstations, including music software, browser add-ons such as toolbars, and other software utilities such as hard drive cleaning tools (see table 1, below). According to ITA officials, these software products existed because they were installed prior to the ARB’s creation.

                        Table 1. Unauthorized Software on ITA Workstations

         Disapproved Software Type      Number of Computers with Unauthorized Software
         Music software                                     70
         Browser add-ons                                     3
         Software utilities                                 79
        Source: results of OIG scan of 117 ITA workstations

        Leaving unauthorized software products on ITA workstations can provide opportunities for an attacker to exploit the software’s vulnerabilities and, thus, increase the likelihood of successful cyber attacks. After we notified ITA about this issue, ITA took actions to remove the unauthorized software. In addition, ITA is working to expand the ARB’s role to approve software used on servers.

        In July 2011, ITA deployed a security tool that controls execution of software on its computing components (e.g., workstations and servers). This tool uses a list of acceptable software, known as a whitelist, to determine which software it will allow. However, we found that ITA, when deploying this security tool, did not thoroughly examine software residing on its computing components. Because of the large number of software products its employees used, ITA decided to include on its whitelist all of the software present on its computing components. This action inadvertently allowed for the execution of existing software infected with malware, as demonstrated by the November 2011 cyber attack. ITA needs to ensure that only authorized software required for its business operations is allowed to execute.

        In addition, our assessment identified widespread use of unauthorized USB devices with ITA workstations. Of the 117 user workstations we reviewed in seven regional offices, we found that 116 (99 percent) have had unauthorized devices connected to them (see table 2, below). Such usage of unauthorized devices can significantly increase the risk of exfiltration of information.

                    Table 2. Unauthorized Device Usage with ITA User Workstations

                ITA Regional Office        Number of User Workstations Reviewed    Number of Workstations Having Unauthorized Devices Attached
                Beijing, China                            44                                       43
                Moscow, Russia                            22                                       22
                New York                                   7                                        7
                Rio De Janeiro, Brazil                     9                                        9
                San Francisco                              9                                        9
                Singapore                                 11                                       11
                St. Louis                                 15                                       15
                Total                                    117                                      116
              Source: results of OIG scan of 117 user workstations

        Department policy⁷ does not allow use of such personally owned removable media devices and requires agencies to permit removable media use only when there is a valid business reason. ITA did authorize a specific USB thumb drive for portable storage; however, we found that ITA does not have technical controls in place to ensure that users do not use unauthorized USB devices.
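        The two controls discussed above, execution allowlisting and removable-device authorization, both come down to the same decision: is this object on a reviewed list, or merely already present? The following is an added illustration and is not ITA’s security tool, the ARB’s list, or OIG’s scan output; every file path, byte content, host name and device identifier in it is constructed. It contrasts an allowlist built from an inventory snapshot (which admits whatever was already installed, including the constructed malware stand-in) with one built from an approved catalogue, reports the installed items that were never reviewed, and applies a serial-level check to USB devices so that only issued units of the approved thumb-drive model pass.

```python
"""Allowlist checks for workstation software and removable devices.

Added example for the findings above; not ITA's security tool, the ARB's
list, or OIG's scan output. Every file, hash, host name and device ID below
is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Identify software by content hash rather than by path or file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed snapshot of what was found on workstations (bytes stand in for binaries).
INVENTORY = {
    "C:/Program Files/Office/winword.exe": b"word processor build 14",
    "C:/Program Files/MusicPlayer/player.exe": b"music player 3.1",
    "C:/Users/jdoe/AppData/Local/Temp/svch0st.exe": b"dropped payload",  # constructed malware stand-in
}

# Constructed catalogue of releases the ARB reviewed and approved, keyed by hash.
APPROVED_CATALOG = {
    sha256_hex(b"word processor build 14"): "Office word processor",
}


def allowlist_from_inventory(inventory: dict) -> set:
    """The shortcut the report describes: trust whatever is already installed."""
    return {sha256_hex(content) for content in inventory.values()}


def allowlist_from_catalog(catalog: dict) -> set:
    """The intended approach: trust only hashes an approval board has reviewed."""
    return set(catalog)


def execution_allowed(allowlist: set, content: bytes) -> bool:
    """Decision the enforcement tool makes when a binary tries to run."""
    return sha256_hex(content) in allowlist


def unreviewed_software(inventory: dict, catalog: dict) -> list:
    """Installed items no one has approved: the review step that was skipped."""
    return sorted(path for path, content in inventory.items()
                  if sha256_hex(content) not in catalog)


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str   # constructed identifiers, not real USB VID/PID values
    product_id: str
    serial: str


# Constructed registry of the one approved thumb-drive model, by issued serial number.
AUTHORIZED_DEVICES = {
    ("VID_ITA1", "PID_0001"): {"ITA-000123", "ITA-000124"},
}


def device_allowed(dev: UsbDevice) -> bool:
    """Approve only the authorized model and only serials that were issued."""
    serials = AUTHORIZED_DEVICES.get((dev.vendor_id, dev.product_id), set())
    return dev.serial in serials


# Constructed device-connection records: (workstation, device).
CONNECTION_LOG = [
    ("beijing-ws-07", UsbDevice("VID_ITA1", "PID_0001", "ITA-000123")),  # issued drive
    ("beijing-ws-07", UsbDevice("VID_PHON", "PID_4242", "SN-PHONE-9")),  # personal phone
    ("beijing-ws-07", UsbDevice("VID_ITA1", "PID_0001", "ITA-999999")),  # right model, unissued serial
    ("stlouis-ws-02", UsbDevice("VID_MISC", "PID_0002", "SN-CAM-1")),
    ("newyork-ws-01", UsbDevice("VID_ITA1", "PID_0001", "ITA-000124")),
]


def workstations_with_unauthorized_devices(log: list) -> list:
    """Hosts that would count in table 2 under the serial-level control above."""
    return sorted({host for host, dev in log if not device_allowed(dev)})
```

        With the inventory-derived allowlist, `execution_allowed` returns True for the constructed payload; with the catalogue-derived list it returns False, and `unreviewed_software` lists the music player and the payload as the items an approval board still needs to see. Matching devices on model alone would accept the unissued serial on the third record, which is why the registry is keyed by serial.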
        ITA is currently working to implement a technical solution to prevent use of unauthorized USB devices.

    D. Risks Related to Network Implementation

        The successful compromise of a computing component within ITA’s worldwide enterprise network increases the likelihood that additional components can be compromised. The current implementation of the ITA network allows network traffic to flow freely between all computing components. For example, our testing of ITA’s network confirmed that a user’s workstation located in Beijing, China, was successfully able to communicate with a development database server located at ITA’s main computer center in the United States.

        Given the security weaknesses presented in this report, we are concerned that the current ITA network infrastructure could pose a greater security risk on ITA systems and information. Allowing malicious attackers to easily traverse ITA’s network increases the risk that the attackers could leverage security weaknesses in one component as a conduit to further attacks against other system components. According to ITA officials, the current network is a legacy design dating back a decade or more.
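        The flat-network condition described above can be made concrete by checking observed flows against a zone-based segmentation policy. The following is an added illustration, not ITA’s network design or any OIG test tooling; the zones, address ranges, ports and observed flows are constructed, modelled on the report’s example of a regional workstation reaching a development database server directly. A flat network implicitly permits every pair; the policy here is deny by default, listing only workstation-to-application-server and application-server-to-database flows, so the checker reports which observed flows a segmented design would block and which zone pairs need either a documented business justification or a block rule before migration.

```python
"""Segmentation policy check over observed network flows.

Added example for section D; not ITA's network design. Zones, addresses,
ports and flows are all constructed for illustration.
"""
import ipaddress
from typing import NamedTuple

# Constructed zones: one prefix per zone (regional office clients, application servers, databases).
ZONES = {
    "workstation": [ipaddress.ip_network("10.10.0.0/16")],
    "app_server": [ipaddress.ip_network("10.20.0.0/24")],
    "database": [ipaddress.ip_network("10.30.0.0/24")],
}

# Constructed segmentation policy: (source zone, destination zone) -> allowed destination ports.
# Any pair not listed is denied; a flat network effectively allows every pair on every port.
POLICY = {
    ("workstation", "app_server"): {443},
    ("app_server", "database"): {1433},
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is outside every defined prefix."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def permitted(flow: Flow) -> bool:
    """Deny-by-default decision for one flow under POLICY."""
    allowed_ports = POLICY.get((zone_of(flow.src), zone_of(flow.dst)), set())
    return flow.dport in allowed_ports


def violations(flows: list) -> list:
    """Observed flows that a segmented design would block."""
    return [f for f in flows if not permitted(f)]


def flows_needing_review(flows: list) -> list:
    """Zone pairs and ports seen in practice but absent from POLICY. Each needs either a
    documented business justification (added to POLICY) or a block rule at the boundary."""
    return sorted({(zone_of(f.src), zone_of(f.dst), f.dport) for f in violations(flows)})


# Constructed observations in the spirit of the report's test.
OBSERVED = [
    Flow("10.10.44.12", "10.20.0.5", 443),    # regional workstation -> app server: allowed
    Flow("10.10.44.12", "10.30.0.9", 1433),   # regional workstation -> development database: violation
    Flow("10.20.0.5", "10.30.0.9", 1433),     # app server -> database: allowed
    Flow("10.10.44.12", "10.10.44.20", 445),  # workstation -> workstation: lateral movement path, violation
]
```

        Run against the constructed observations, `violations` returns the workstation-to-database and workstation-to-workstation flows, and `flows_needing_review` reduces them to the two zone pairs a migration plan has to decide on. Segmenting workstations from servers, as ITA acknowledged it needs to do, amounts to enforcing a policy of this shape at the zone boundaries.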
        ITA also acknowledged the need to migrate to a more secure network, which includes segmentation of workstations from servers.

⁷ DOC CITR-005, Removable Media Devices (December 11, 2008).


Conclusion

During the past year ITA has undertaken activities to improve its IT security posture. However, unless ITA makes additional improvements to adequately secure its systems, it is likely to encounter additional successful cyber attacks that could seriously harm ITA’s mission.

During our audit, we issued two memorandums to ITA’s senior management concerning the results of OIG vulnerability scanning.
We further briefed ITA staff on our technical assessment results, and they are taking action to correct the deficiencies identified.


Recommendations

We recommend that the Under Secretary of Commerce for International Trade:

    1. Ensure that system owners and appropriate ITA officials collaborate to identify and categorize all information processed, stored, or transmitted by each system and categorize each system accordingly;

    2. Mitigate the remaining vulnerabilities identified by our vulnerability scan assessments;

    3. Improve the patch management process by (a) making timely patches for all software products and (b) coordinating within ITA to comprehensively identify and remediate software flaws in a timely manner;

    4. Address and fully implement critical security settings in database configuration checklists;

    5. Ensure that only authorized software and USB devices are used on both servers and workstations; and

    6. Strengthen the worldwide enterprise network’s security posture by reducing the threats associated with allowing network traffic to flow freely between all computing components.


Summary of Agency Response and OIG Comments

In response to our draft report, ITA concurred with our findings and recommendations. In addition, the agency indicated that it has remediated a majority of the findings and is currently documenting remediation efforts.


Appendix A: Objectives, Scope, and Methodology

Our objective was to assess the effectiveness of ITA’s information security program by determining whether key security measures adequately protect ITA’s systems and its information. Using a combination of automated software tools and manual review, we performed internal and external vulnerability assessments on ITA’s systems, including servers, workstations, databases, and network devices. For one system, we limited our scans to the test environment due to the concern that such activity can disrupt the service. We validated that the test system had very similar configurations to the production systems and shared our assessment results with ITA chief information officer (CIO) staff, seeking their feedback to validate identified vulnerabilities to eliminate false positives. We also interviewed business unit officials as needed to understand ITA’s business practices and the information it collects, as well as how it interfaces with customers.

We reviewed ITA’s compliance with the following applicable provisions of law, regulation, and mandatory guidance:

    • FISMA

    • IT Security Program Policy, U.S. Department of Commerce, released March 9, 2009

    • NIST FIPS publications

        o 199 (Standards for Security Categorization of Federal Information and Information Systems)

        o 200 (Minimum Security Requirements for Federal Information and Information Systems)

    • NIST Special Publications

        o 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems)

        o 800-53 (Recommended Security Controls for Federal Information Systems and Organizations)

        o 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories)

        o 800-70 (National Checklist Program for IT Products—Guidelines for Checklist Users and Developers)

        o 800-115 (Technical Guide to Information Security Testing and Assessment)

We conducted our fieldwork from January 2012 to May 2012 at ITA Headquarters, Bowie Computer Center, and remotely assessed system components at eight regional offices (Beijing, Mexico City, Moscow, Rio De Janeiro, Singapore, New York, San Francisco, and St. Louis).

OIG performed this audit under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated August 31, 2006. We conducted this audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.


Appendix B: Agency Response

                                        UNITED STATES DEPARTMENT OF COMMERCE
                                        International Trade Administration
                                        Washington, D.C. 20230

                                        SEP 20 2012

MEMORANDUM FOR:   Allen Crawley
                  Assistant Inspector General for Systems Acquisition and IT Security

FROM:             Renee Macklin
                  Chief Information Officer

SUBJECT:          FY2012 Federal Information Security Management Act Audit:
                  Improvements are Needed to Strengthen ITA's
                  Information Technology Security Program Draft Report

This memorandum serves as the International Trade Administration's response to the Inspector General's Draft FY2012 Report, Improvements are Needed to Strengthen ITA's Information Technology Security Program.

ITA's Chief Information Officer concurs with the findings and recommendations outlined in the subject report. The findings accurately reflect the period in which the inspection and testing was conducted. ITA has since remediated a majority of the findings and is in the process of documenting our remediation.

ITA notes the challenges of its global users and environment. Therefore ITA continues to make significant investments in IT Security and has hired a new IT Security Team with strong leadership skills and IT Security skills. The team has instituted a vigorous series of testing and remediation protocols, and has expanded the IT Security Team with experts on both the operations and procedural branches. In FY12, ITA made significant progress toward consolidating and improving ITA's infrastructure. However we recognize there is more work that needs to be done and that IT Security remains a continuous improvement process.

ITA OCIO will formally respond to the Recommendations in the near future.

Please contact Jeffery Jackson, Chief Information Security Officer, at 202-482-5236, if you have any questions.

cc: Ken Hyatt, Acting Deputy Under Secretary, ITA
    Simon Szykman, Chief Information Officer, DOC
    Tim Hurr, Acting Director, Office of Cyber Security, DOC
    Jeffery Jackson, Chief Information Security Officer, ITA
    Justin Guz, Audit Liaison, ITA
    Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer, DOC